Risk register 


No.

13 05/05/17

15 29/06/17

Date raised, Opportunity/risk description (opportunities shaded in blue)

13/04/18 ICO fails to deal with issues arising from Operation Cederberg in a timely and effective way; and hence does not meet the wide range of expectations of stakeholders.

01/04/17 Risk of insufficient resources to match demand for our services, especially during the relative uncertainty as we transition to a new regulatory regime

28/06/17 ICO fails to meet expectations when dealing with priority files in a timely and effective way; and hence does not meet the wide range of expectations of stakeholders.

26/01/18 Uncertainty around the legal framework for data protection and the ICO's role in EDPB following withdrawal from the EU.

The ICO is seen as not being relevant to information rights issues by its stakeholders (the public, media, gov etc) in policy areas, engagement and the delivery of robust enforcement action, and hence loses influence.

10/05/17

That, as the skills of ICO staff are in high demand, we see an increase in staff turnover, either organisation wide or in discrete teams or departments, which has a detrimental impact on the capacity and capability of the organisation.

The ICO GDPR change programme is not delivered to time to scope or within budget

Type

Internal/External

Internal

Internal/External

External

Internal/External

Internal/External

Internal


Theme 


Reputation 


Reputation 


Legal 


Reputation 


People 


Reputation 


Probability (1 low, 5 high)


4.0 


4.0 


3.0 


3.0 


2.0 


Impact (1 low, 5 high)


4.0 


3.0 


4.0 


3.0 


4.0 


Overall priority (1 low, 25 high)


Direction

Up

Same

Same

Same

Same


Proximity

Medium term

Short term

Medium term

Medium term

Medium term

Short term

Short term


Strategic 


Strategic 


Strategic 


Strategic 


Strategic 


Strategic 


Strategic 


Strategic 


| Actions required | Owner |
|---|---|
| Planning in train to increase resources on the operation. We are also taking senior direction to the investigation and pursuing thorough lines of enquiry. | SLT: James Dipple-Johnstone |
| Review and refine projections and close monitoring of actual demand. Planning for tackling contact centre backlog being undertaken and resources for Operation Cederberg being considered; to include raising the question of financial resources with Ministers if needed. | SLT: James Dipple-Johnstone |
| Process for handling priority cases agreed and SLT has monthly oversight of this process and the progress of cases. | SLT: James Dipple-Johnstone |
| EU withdrawal planning group set up. Position paper on EDPB / ICO developed. | SLT: Steve Wood |
| International Strategy and Technology strategies developed. Parliamentary and Gov Engagement Strategy is in the process of being developed. The Information Rights Strategic Plan is being updated. SLT has direct oversight of guidance production with some guidance being outsourced and an SME focus to some comms work. | SLT: Elizabeth Denham |
| Range of People projects underway to mitigate strategic people risks. Progress reported to Change Board, SLT and MB. Implementation of pay systems review in response to successful outcome of pay case including payment of initial pay rises from 1 April. | SLT: Paul Arnold |
| Change programme in place mitigating risk on an ongoing basis and overseen by SLT. | SLT: Paul Arnold |


Interested steering groups / SLT

Ops SG

Ops/Policy SG

Policy SG

Ops/Policy SG

All SGs

Change Board


Last updated


13/04/18 


16/04/18 


04/04/18 


26/01/18 


04/04/18 


04/04/18 


29/06/17 


| No. | Date raised | Opportunity/risk description (opportunities shaded in blue) | Type | Theme | Probability (1 low, 5 high) | Impact (1 low, 5 high) | Overall priority (1 low, 25 high) | Direction | Proximity | Strategic | Actions required | Owner | Interested steering groups / SLT | Last updated |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 16 | 05/05/17 | That we fail to recruit the right people with the right skills into the most important roles to enable the ICO to prepare for wider EU data protection reforms. | Internal/External | People | 2.0 | 4.0 | | Same | Short term | Strategic | Range of People projects intended to mitigate strategic people risks. Progress reported to Change Board, SLT and MB. Implementation of pay systems review in response to successful outcome of pay case including initial payment of initial pay rises from 1 April. Also considering the grading of technical investigator roles to position them at a more senior level. | SLT: Paul Arnold | DCEO SG | 16/04/18 |
| 17 | 05/05/17 | The ICO may have insufficient funds to meet business needs following the implementation of GDPR. | Internal | Finances | 2.0 | 4.0 | | Up | Short term | Strategic | Fee raising power confirmed in Digital Economy Act. SI has now received Treasury approval. Implementation date moved to 25th of May. Discussions ongoing with DCMS regarding the penalty regime for non payment. | SLT: Paul Arnold | DCEO SG | 16/04/18 |
| 21 | 01/04/17 | Cyber defences are not sufficiently robust because the IT environment is not maintained to the required standard, security and integrity. | External | IT | 2.0 | 3.0 | | Same | Medium term | Strategic | Long standing compliance with PSM combined with regular programme of IT health check/penetration tests. Working towards ISO 27001 compliance. | SLT: Paul Arnold | DCEO SG | 16/04/18 |
| 22 | 24/07/17 | An increasing number of regulators, some with remits related to that of the ICO, results in a lack of clarity and reduced visibility of the ICO's role | External | Reputation | 2.0 | 3.0 | | Same | Medium term | Strategic | Ongoing liaison with DCMS, other government departments and other regulators. | SLT: Elizabeth Denham | Ops/Policy SG | 16/04/18 |
| 23 | 05/05/17 | As the ICO's fee income arrangements change our registration service is not equipped to cope and as a result the collection of the ICO's fee income is placed at risk. | Major Project | Finances | 2.0 | 3.0 | | Same | Short term | Strategic | We will maintain 100% follow up of data controllers who cease to renew registration and have produced external communications to make clear the need to renew each year. Our project team is developing the processes and technology to implement new fee income collection service based on the future funding model. | SLT: Paul Arnold | DCEO SG | 13/10/17 |
| 25 | 01/04/17 | Ability of the ICO to spot emerging technological issues and to stay on top of them as they develop. | Internal | Policy | 2.0 | 3.0 | | Same | Medium term | Strategic | Technology Strategy developed and Head of Technology Policy recruited. | SLT: Steve Wood | All SGs | 21/12/17 |
| 26 | 05/05/17 | That we fail to take the opportunity to lead and support all ICO staff to own and develop their individual capability and to maximise their personal contribution to our strategic goals and priorities. | Internal | People | 2.0 | 3.0 | | Same | Long term | Strategic | Range of People projects underway intended to mitigate strategic people risks. Progress reported to Change Board, SLT and MB. | SLT: Paul Arnold | DCEO SG | 25/01/18 |
| 27 | 31/08/17 | Poor industrial relations may impair engagement between ICO management and its workforce, leading to sub-optimum productivity and reduced ability to deliver change. | Internal | People | 3.0 | 2.0 | | Same | Medium term | Strategic | Regular Joint Committee meetings between TUS and Management. Regular senior level engagement with trade unions during pay case discussion. Implementation of first stage of the pay negotiations in April. | SLT: Paul Arnold | DCEO SG | 16/04/18 |
| 28 | 23/02/18 | The ICO fails to develop new, and maintain existing, workforce capability in line with the organisational priorities. | Internal | People | 2.0 | 3.0 | | Same | Medium term | Strategic | Recruitment of Head of Workforce Planning and ongoing work on developing a coaching management culture and resourcing learning and development activities. | SLT: Paul Arnold | DCEO SG | 27/02/18 |
| 29 | 26/01/18 | The new DPA raises unexpected demands on the ICO that are difficult to meet, or creates unintended regulatory consequences. | External | Legal | 3.0 | 2.0 | | Same | Medium term | Strategic | Shadow DP Bill team, outsourced legal advice on DP Bill and close liaison with DCMS Bill team. | SLT: Steve Wood | Policy SG | 27/02/18 |
| 30 | 10/05/17 | Amendments to UK legislation, needed because of GDPR and the LED, are too late to allow the ICO, as regulator, or the regulated sector, to adequately plan and prepare for implementation. | External | Policy | 2.0 | 3.0 | | Same | Short term | Strategic | Providing support to DCMS to ensure that legislative changes are made. Monitoring passage of the Data Protection Bill. | SLT: Steve Wood | Policy SG | 04/04/18 |
| 34 | 05/05/17 | That we do not have sufficient space to accommodate our expanding workforce. | Internal | People | 1.0 | 2.0 | | Same | Medium term | Strategic | King's Court accommodation increases Wilmslow accommodation by 20-25%. Continuing to explore ways of best utilising ICO space in general as well as in the new space. | SLT: Paul Arnold | DCEO SG | 16/02/18 |


